Summary
The dagger Nix package uses a tarball that extracts flat (no top-level directory), requiring sourceRoot = ".". This causes tar to attempt chmod and utime on . (the build root directory) during Nix's unpackPhase, which fails in strict sandbox environments.
Details
The dagger default.nix sets sourceRoot = "." because the release tarballs (e.g., dagger_v0.20.3_linux_arm64.tar.gz) extract their contents directly into the current directory without a containing subdirectory.
During Nix's standard unpackPhase, tar tries to restore permissions and timestamps on . itself. In environments with a strict sandbox (such as the Determinate Nix native Linux builder on macOS), this fails:
chmod-repro-flat> Running phase: unpackPhase
chmod-repro-flat> unpacking source archive /nix/store/...-flat-tarball.tar.gz
chmod-repro-flat> tar: .: Cannot utime: Operation not permitted
chmod-repro-flat> tar: .: Cannot change mode to rwxr-xr-x: Operation not permitted
chmod-repro-flat> tar: Exiting with failure status due to previous errors
chmod-repro-flat> do not know how to unpack source archive /nix/store/...-flat-tarball.tar.gz
The same derivation builds successfully on a native aarch64-linux host where the sandbox is more permissive about operations on the build root.
Minimal reproduction
This can be reproduced without dagger itself. Any flat tarball triggers the issue:
# Works: tarball with a top-level directory
withSubdir = pkgs.stdenv.mkDerivation {
  pname = "chmod-repro-subdir";
  version = "2.12.1";
  src = pkgs.fetchurl {
    url = "https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz";
    hash = "sha256-jZkUKv2SV28wsM18tCqNxoCZmLxdYH2Idh9RLibH2yA=";
  };
  dontBuild = true;
  installPhase = "mkdir -p $out && touch $out/success";
};

# Fails: flat tarball (no top-level directory)
withoutSubdir = pkgs.stdenv.mkDerivation {
  pname = "chmod-repro-flat";
  version = "0.0.1";
  # The "." member written by `tar -C tmp .` is what tar later chmods/utimes on extraction
  src = pkgs.runCommand "flat-tarball.tar.gz" { } ''
    mkdir -p tmp && echo "hello" > tmp/file.txt
    tar czf $out -C tmp .
  '';
  sourceRoot = ".";
  dontBuild = true;
  installPhase = "mkdir -p $out && cp file.txt $out/";
};
Suggested fix
Structure the release tarballs with a top-level directory (e.g., dagger_v0.20.3_linux_arm64/dagger instead of just dagger). This is standard tarball convention and would allow removing sourceRoot = "." from the Nix derivation. GoReleaser supports this via the wrap_in_directory option.
Alternatively, the default.nix could work around the issue by overriding unpackPhase to extract into a subdirectory:
unpackPhase = ''
  mkdir source
  tar xzf $src -C source
  # No cd here: stdenv itself runs `cd "$sourceRoot"` right after unpackPhase,
  # so changing directory in the phase as well would make that second cd fail.
'';
sourceRoot = "source";
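As an added example (not code from the dagger repository or from the issue author), the following shell script builds the two tarball layouts the reproduction contrasts, checks which archive carries the "." member that makes tar chmod/utime the extraction directory, and applies the extract-into-subdirectory workaround. The archive contents and the dagger_vX_linux_arm64 directory name are constructed placeholders; uncompressed .tar is used so only tar is needed, and the layout checks are identical for .tar.gz.

```shell
#!/bin/sh
# Added example, not from the dagger project: compare a flat and a wrapped tarball,
# detect the layout, and extract the flat one into a subdirectory as a workaround.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample contents: one file "dagger", packed two ways.
# "dagger_vX_linux_arm64" stands in for the real release directory name.
mkdir -p "$work/src" "$work/wrapped/dagger_vX_linux_arm64"
echo hello > "$work/src/dagger"
cp "$work/src/dagger" "$work/wrapped/dagger_vX_linux_arm64/"
tar cf "$work/flat.tar" -C "$work/src" .                             # members: ./ ./dagger
tar cf "$work/wrapped.tar" -C "$work/wrapped" dagger_vX_linux_arm64  # members: dir/ dir/dagger

# members TARBALL: member paths with a leading "./" stripped and the bare "." entry dropped.
members() { tar tf "$1" | sed -e 's#^\./##' -e '/^$/d'; }

# has_dot_member TARBALL: exit 0 when the archive carries a "." or "./" entry.
# Restoring that entry's mode and mtime is why tar touches the extraction
# directory itself, which is the build root when sourceRoot = "." is used.
has_dot_member() { tar tf "$1" | grep -qx '\./\{0,1\}'; }

# has_single_top_dir TARBALL: exit 0 when every member sits under one common
# top-level directory (the layout stdenv's unpackPhase auto-detects as sourceRoot).
has_single_top_dir() {
    if members "$1" | grep -qv '/'; then return 1; fi    # a file at the top level
    [ "$(members "$1" | sed 's#/.*##' | sort -u | wc -l | tr -d ' ')" -eq 1 ]
}

# extract_into_subdir TARBALL DEST: the workaround from the issue. Extracting into
# a fresh directory makes tar apply the "./" mode and mtime to DEST rather than to
# the build root, so a restrictive sandbox has nothing to refuse.
extract_into_subdir() {
    mkdir -p "$2"
    tar xf "$1" -C "$2"
}

for t in flat wrapped; do
    if has_dot_member "$work/$t.tar"; then dot=yes; else dot=no; fi
    if has_single_top_dir "$work/$t.tar"; then top=yes; else top=no; fi
    echo "$t.tar: dot-member=$dot single-top-dir=$top"
done
extract_into_subdir "$work/flat.tar" "$work/source" && echo "flat.tar extracted into source/"
```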
Environment
- macOS aarch64-darwin (Apple Silicon)
- Determinate Nix 3.17.3 with native Linux builder
- Building for aarch64-linux
- dagger 0.20.3